Future Data Breaches: What to do Now so You’ll Know What to do Then

By Kristy Grant-Hart
From Compliance & Ethics Professional, a publication for SCCE members.

You wake in a cold sweat from every compliance officer’s nightmare: In your dream, you saw that 10,000 of your customers’ credit card numbers and names were published on the Internet. Or worse, that your customers’ private member profiles, including sensitive information like the member’s religion or HIV status, were illegally accessed. This nightmare is a reality every day, somewhere in the world. Sometimes the data breaches are small, such as an employee inadvertently sending an attachment with personal information to the wrong email address, but sometimes a breach is gigantic and very public. Once a large breach has hit the news, shareholders often call for the firing of compliance or data protection officers within the company. Once you’ve woken up to the risk, what do you do to protect yourself?


The immediate response to a breach will likely be handled by your information security (IS) and information technology (IT) teams. However, there are several steps a compliance officer can take to be ready for the inevitable. It is often asserted that there are two types of companies: those who know they’ve been hacked, and those who don’t yet know they’ve been hacked. Here’s how to prepare for the worst.

The state of the law
Just a few years ago, data breach notification was mostly at the discretion of the company, as opposed to an obligation under the law. In Europe, even now, only a couple of countries require mandatory notification of a data breach, either to the data protection authority or to the affected people. This state of the law is rapidly changing. The new European data protection regulation contains a mandatory data breach notification provision for serious breaches. This mandatory notification requirement is likely to come into force throughout Europe in 2017 or 2018.

In the United States, each state has its own law. There is no overarching federal law with data breach notification requirements. However, states from California to Florida have jumped on the notification bandwagon. Where the law requires notification to a governmental body, the state Attorney General is typically the overseeing authority.

Asian data protection law is also rapidly changing, with mandatory notification required for certain data breaches in South Korea. Within Asia, South Korea is considered to have one of the toughest data protection laws, with stiff penalties, including potential imprisonment, for violations. Notification of a data breach to individuals should be made immediately, and if the data breach involves more than 10,000 people, the company must notify the Ministry of Safety and Planning as soon as possible.

Once you’ve been told about a data breach, you must think about notification. It’s important to remember that you need to answer two separate questions: (1) Do I need to notify an authority? and (2) Do I need to notify the people whose data has been compromised?

Notification of the data protection authorities and state Attorneys General
Once you’ve established the law in the territories in which you process data or have offices, you can draft a template notification email or letter. Please be aware that every authority is different in terms of how it requires notification. However, having a template helps in the time of crisis around a data breach, and should expedite the notification process. The following template or checklist is based on an amalgamation of the requirements from several jurisdictions. Notifications should include the following information:

  • Name, street address, and email address of the authority.
  • Acknowledge that there was a data breach, or state that a data breach is believed to have occurred.
  • State what happened in a succinct way.
  • State the number of people who have had their information compromised.
  • Note the type of information accessed, including whether the compromised information includes sensitive personal information, such as religious beliefs, sexual orientation, union membership status, political affiliations, and health-related information.
  • Note whether the compromised information creates financial risk to the individual. This may include credit card numbers with PIN or password information or Social Security numbers.
  • Note the steps taken to stem the flow of information or to contain the breach.
  • Note steps taken or to be taken to notify those people whose data has been compromised.

Although you will not be able to fill out your template until you’ve had a breach, the template will serve as a checklist of information you need in order to move forward with notification.

Notifying individuals
Once you’ve determined whether you must tell an authority, the next question is whether you must notify the affected individuals. Once again, a template can be useful for preparing notification. The following information is recommended for your template:

  • Acknowledge that there was a data breach, or state that a data breach is believed to have occurred.
  • State what happened in a succinct way.
  • To the best of your capacity, note the exact type of information that was compromised. Be careful to note any sensitive personal information or financial information that may have been compromised.
  • Note the steps taken to stem the flow of information or to contain the breach.
  • Note steps that the individual can take to help protect themselves from further harm. This may include changing passwords, changing PINs, or checking credit reports.
  • Note steps being taken by the company to help those affected. For serious breaches, many companies offer free credit report monitoring for several months for people affected by a data breach. Some companies have also opened hotlines where people can call to obtain additional information in the aftermath of a large data breach.

The template will help you to quickly gather the information you need to respond to the crisis when it happens.

You will need to review the law at the time of the breach to determine how notice of the breach must be made. Sometimes individuals must be notified directly; other times public posting, such as on the Internet or in the papers, is considered effective.

Putting together a rapid response team
Long before you have a breach, you want to put together your rapid response team. A rapid response team is a group of individuals inside and outside the company who are ready to deal with a breach as soon as it happens. Most rapid response teams will need at least one individual from each of the following disciplines:

  • Compliance
  • Information Security
  • Information Technology
  • Communications
  • Business leadership
  • Legal

In addition, you should consider having on retainer a lawyer or law firm that is accustomed to responding to data breaches, particularly if you process data in multiple countries throughout the world. You may also consider having a professional public relations team or person ready to address the press or respond in social media to any criticisms or questions about the breach.

Put together an email distribution list specifically for your rapid response team and test it out to be sure people know how to respond if they find that a breach has occurred.

By putting together your templates now, and creating a rapid response team, you will have a framework to respond from when a breach occurs. The fact that you have a plan and dedicated resources should help you sleep better at night.

Kristy Grant-Hart (Kristy_Grant-Hart@uip.com) is the Chief Compliance Officer at United International Pictures in London.



  1. I could not agree more…
    As a business owner and having experienced the vulnerability of our data, whether related to health information or any sensitive data, I can appreciate how important it is to be proactive and take preventative measures in order to keep organizations safe and secure. Large organizations are taking the initiative to comply with the necessary preventative measures by having some kind of rapid response team, protocol or standard operating procedures. However, we still have a long way ahead to reach a reasonable quality of information security rapid response or protocols for small and medium-sized businesses.
    Adam Tabriz, MD
    AAHCC Consultancy

  2. Criminals and cyber threat actors look to exploit the vulnerabilities in organization networks. Breaches are widely observed in the healthcare sector and can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices. Cyber criminals earn higher incentives by stealing medical databases. Healthcare organizations need to be more vigilant against cyberattacks. Proper employee training is the best way to avoid cyber attacks. The majority of cyberattacks happen due to a lack of employee knowledge on this topic. Cybersecurity-related online communities are a good reference for employees to get more information. I would like to suggest Opsfolio.com, an online community for those involved with healthcare cyber security, which is the right guide for me to get healthcare cybersecurity information.
